The dark web is the part of the internet that is reachable only through anonymity overlay networks such as Tor (the networks themselves are often called “darknets”). Its content is not indexed by conventional search engines, which is what makes it “dark” to most users. It is typically used by people who are seeking anonymity, for a variety of (often illicit) reasons.
Before initiating an attack, threat actors typically search the dark web for sensitive and confidential information such as passwords, e-mail addresses and data from past breaches, much of which is openly offered for sale on dark web forums and marketplaces. They also often route their attack traffic through the Tor network for cover: the target only ever sees the IP address of a Tor exit node, not the attacker’s own IP address or physical location.
Cyber security firms such as MNP also spend considerable time crawling the dark web. Instead of looking for targets to attack, however, we have developed a platform that monitors dark web activity in real time to catch leaks of client information or signs of an attack against a client. This visibility also makes it possible to anticipate attacks, because the reconnaissance and surveillance that threat actors perform is often visible before the attack itself is launched.
An insurance organization approached MNP after it suffered a ransomware attack. The threat actors exfiltrated sensitive data from the organization’s network and then rendered the files inaccessible, forcing the business to halt operations. They also threatened to leak the stolen data unless the organization paid a ransom.
The organization engaged MNP to assist with incident response activities (to put an end to the attack and restore network access) and implement dark web and compromise monitoring to determine whether the information was actively being sold on the dark web.
One approach many organizations take is to create aliases and build relationships on dark web forums in order to obtain information. This is slow, often taking months or years to bear results, and because people use the dark web precisely for its anonymity, the sources of any information are difficult to trace. Intelligence gathered this way must therefore be treated with caution, weighing its source, its timeliness, and the circumstances of its disclosure.
To get around that challenge, MNP operates a proprietary security feed that monitors dark web activity 24/7 to identify organizations that have been, or are being, attacked. The same service provides real-time cyber intelligence to law enforcement agencies across Canada and elsewhere.
MNP asked the insurance company for its IP addresses, approximately 100 confidential files suspected to have been taken in the breach, a list of keywords, executive names, and other client data. Hashes of the files and the search terms were then loaded into the service platform so that 24/7 monitoring could begin immediately.
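The matching step behind this kind of monitoring, as an added illustration that is not MNP’s platform code: the client’s files are reduced to SHA-256 digests (so the monitoring side never has to hold the content), the keywords and executive names become case-insensitive patterns, and every blob found on a forum or marketplace is checked against both. The file contents, keywords and leaked samples below are constructed; “Acme Insurance” is an assumed organization name.

```python
import hashlib
import re

# Constructed stand-ins for the ~100 confidential files the client supplied.
# In practice the files are read from disk and only their SHA-256 digests
# leave the organization; the monitoring side never needs the content.
CONFIDENTIAL_FILES = {
    "policy_schedule_2023.csv": b"policy_id,insured,premium\n1001,Jane Doe,1250.00\n",
    "board_minutes_q1.txt": b"Board minutes Q1. Attendees: A. Smith (CEO), B. Lee (CFO).\n",
}

# Constructed keyword and executive-name list (assumed organization name).
WATCH_KEYWORDS = ["Acme Insurance", "A. Smith", "B. Lee", "policy_schedule"]


def build_watchlist(files, keywords):
    """Map each file's SHA-256 digest to its name and compile keyword patterns."""
    digests = {hashlib.sha256(data).hexdigest(): name for name, data in files.items()}
    # re.escape so that the dot in a name like "A. Smith" matches literally.
    patterns = [(kw, re.compile(re.escape(kw), re.IGNORECASE)) for kw in keywords]
    return digests, patterns


def check_sample(sample, digests, patterns):
    """Check one blob seen on a forum or marketplace against the watchlist.

    Returns (matched_filename_or_None, [keywords found]). An exact digest match
    is strong evidence the client's own file is circulating; keyword hits are
    weaker but survive edits, re-encoding and truncation, all of which defeat
    an exact hash match.
    """
    hash_hit = digests.get(hashlib.sha256(sample).hexdigest())
    text = sample.decode("utf-8", errors="replace")
    keyword_hits = [kw for kw, pat in patterns if pat.search(text)]
    return hash_hit, keyword_hits


# Constructed samples: an exact copy of one file, a modified copy wrapped in a
# sales pitch (hash no longer matches, keywords still do), and unrelated noise.
LEAK_EXACT = CONFIDENTIAL_FILES["board_minutes_q1.txt"]
LEAK_MODIFIED = (
    b"Selling: policy_schedule_2023.csv from ACME INSURANCE, 40k rows\n"
    + CONFIDENTIAL_FILES["policy_schedule_2023.csv"]
    + b"1002,John Roe,980.00\n"
)
UNRELATED = b"lorem ipsum dolor sit amet\n"


def scan(samples, files=CONFIDENTIAL_FILES, keywords=WATCH_KEYWORDS):
    """Return one alert per sample that hits the watchlist by hash or keyword."""
    digests, patterns = build_watchlist(files, keywords)
    alerts = []
    for label, blob in samples.items():
        hash_hit, kw_hits = check_sample(blob, digests, patterns)
        if hash_hit or kw_hits:
            alerts.append({"sample": label, "file": hash_hit, "keywords": kw_hits})
    return alerts


if __name__ == "__main__":
    for alert in scan({"exact": LEAK_EXACT, "modified": LEAK_MODIFIED, "noise": UNRELATED}):
        print(alert)
```

The modified sample is the case to watch: a seller who adds rows, re-saves the spreadsheet or posts a screenshot breaks the hash match entirely, so a hash-only watchlist produces false confidence. Keywords and executive names catch those cases at the cost of more false positives, which is why both are fed to the platform together.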
– Chris Law, MNP Partner, Cyber Offensive & Incident Management Lead
MNP identified the type of threat actor the insurance company was dealing with and confirmed that the attack activity had stopped. This allowed the client to report the breach to the privacy commissioner, its clients, and other stakeholders, together with the steps it was taking to remediate the issue and protect those affected.
MNP identified both inbound connections from the Tor network into the organization’s environment and outbound connections from the environment to Tor, and continues to monitor the dark web for the organization using the file hashes and other information provided. Going forward, MNP will promptly notify the organization if its files are found on the dark web, or if another attack appears imminent, so that it can respond proactively.
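How inbound and outbound Tor connections are picked out of ordinary firewall logs, as an added example that is not MNP’s tooling; it also illustrates the cover described earlier, where the defender sees only a Tor exit node’s address. The relay set, the internal address ranges and the log lines are all constructed (documentation-range addresses only); the log format is an assumed key=value style.

```python
import ipaddress
import re

# Constructed stand-in for a Tor relay list. The real exit-node list is
# published at https://check.torproject.org/torbulkexitlist and changes
# constantly, so it must be refreshed frequently; a stale copy silently misses
# new relays. Only documentation-range addresses are used here; none are relays.
TOR_RELAYS = {"203.0.113.7", "203.0.113.8", "198.51.100.40"}

# Assumed internal address space of the monitored organization.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOGS = [
    "2024-03-01T10:00:00Z action=allow src=203.0.113.7 dst=10.0.0.5 dport=443",
    "2024-03-01T10:00:05Z action=allow src=10.0.0.23 dst=198.51.100.40 dport=9001",
    "2024-03-01T10:00:09Z action=allow src=10.0.0.23 dst=192.0.2.10 dport=443",
    "2024-03-01T10:00:12Z action=deny src=203.0.113.8 dst=10.0.0.5 dport=22",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a log line into a dict of fields; the first token is the timestamp."""
    ts, rest = line.split(" ", 1)
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(fields, relays):
    """Label a connection by its relationship to the Tor relay set.

    Inbound: a Tor exit node talking to an internal host, i.e. someone (an
    attacker or a privacy-conscious user) hiding behind Tor. Outbound: an
    internal host talking to a relay, which is how exfiltration or command and
    control over Tor looks from the network edge, and also how a user running
    Tor Browser looks, so each hit still needs triage.
    """
    src, dst = fields["src"], fields["dst"]
    if src in relays and is_internal(dst):
        return "inbound_from_tor"
    if dst in relays and is_internal(src):
        return "outbound_to_tor"
    return None


def find_tor_connections(lines, relays=TOR_RELAYS):
    """Return a record for every log line that touches a known Tor relay."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        direction = classify(fields, relays)
        if direction:
            hits.append({
                "ts": fields["ts"],
                "direction": direction,
                "src": fields["src"],
                "dst": fields["dst"],
                "dport": int(fields["dport"]),
                "action": fields["action"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_tor_connections(SAMPLE_LOGS):
        print(hit)
```

Two caveats a practitioner should keep in mind. The public exit list only names exit nodes, which is what inbound traffic comes from; outbound traffic from a compromised host goes to a guard relay, so the outbound check needs the full relay consensus (for instance via the Tor project’s Onionoo service), and traffic to a private bridge will not appear in any list. And a denied inbound connection, like the last sample line, is still worth recording: a burst of blocked connections from exit nodes is exactly the reconnaissance signal that precedes an attack.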